On Dec 12, 2007 2:39 PM, John <[EMAIL PROTECTED]> wrote:
> Joost van der Sluis wrote:
> > Op woensdag 12-12-2007 om 22:51 uur [tijdzone +1100], schreef John:
> >
> >> ik wrote:
> >>
> >>> One small note, you have an SQL injection at your code. I recommend
> >>> you to use parameters as how to add the values, but prior to that, you
> >>> should check to see if there are invalid chars, and trim them. That
> >>> way, you can avoid a lot of problems.
> >>>
> >>> Ido
> >>>
> >>>
> >> Perhaps you should explain what is so terrible about a "SQL injection"
> >> ? I have heard of this before, but not the reason. I do this regularly
> >> and it seems to work fine!
> >>
> >
> > Suppose the query is like this: (from some mails earlier)
> >
> > MainForm.SQLQuery1.SQL.Add('SELECT revID from rev WHERE
> > revName='+#39+CBProcessRev.Text+#39);
> >
> >
> > Oh, yes it works. Until...
> >
> > A user types " '; drop table rev;" in CBProcessRev.
> >
> > Well, that will still work. But only once. ;)
> >
> > Joost
> >
> > (btw: this won't work with all TSQLConnections, because some don't
> > accept a semicolon)
> >
> >
> So the issue is accepting the text straight from the user input, not the
> fact that the query text is constructed rather than using a parameter
> ? When I say I do it all the time, it is far more likely to be
> something like 'select * from sometable where ref = ' +
> IntToStr(AnIntegerValue), or some otherwise well-validated expression.
Make sure first of all to have only the valid chars, then escape all
potentially exploitable chars (such as ' /* -- ; and so on).
The thing with Injection (regardless of SQL) is that I can use any
type of content I wish to make in order to make sure that I can
effect/gain things that I can't any other way.
I usually create a filter function such as follows:
function filterChars (const Value : string; chars : TCharset) : string;
var
i : integer;
begin
Result := '';
for i := 1 to length (Value) do
if (Value[i] in chars ) then
Result := Result + Value[i];
end;
I just rewrite it from my head... It will remove any chars that are
not part of the "chars" parameter, making it clean from un needed
chars. then I'll escape any string chars by converting ' into \' or ''
(depands on the database). The thing with parameters (anonymous or
named) is that the database itself makes the escaping for you.
>
> Don't get me wrong, I actually prefer to use parameters in such a
> circumstance if I can get them to work, especially if the sql is
> executed repeatedly with different criteria.
I recommand you to read my guide for secure programming:
http://wiki.freepascal.org/Secure_programming
Or in a newer version:
http://ik.homelinux.org/index.rhtml/guides/secure_programming
>
> cheers,
> John Sunderland
>
>
Ido
--
http://ik.homelinux.org/
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
